Avast Antivirus CVE-2025-3500 Integer Overflow: Brief Summary and Technical Review

A brief summary and technical review of CVE-2025-3500, an integer overflow vulnerability in Avast Antivirus on Windows (versions from 25.1.981.6 up to, but not including, 25.3) that allows privilege escalation. This post covers affected versions, technical root cause, and vendor security history based on available public sources.

ZeroPath CVE Analysis

2025-12-01

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Privilege escalation to kernel level on a fully patched Windows system running a mainstream antivirus product is a scenario that immediately raises concern for defenders and enterprise administrators. CVE-2025-3500 is a critical integer overflow vulnerability in Avast Antivirus that enables exactly this outcome, allowing local attackers to gain SYSTEM privileges through a flaw in the aswbidsdriver kernel driver. Avast, now part of Gen Digital Inc., is a major player in the consumer security market with over 400 million users worldwide. The broad install base and the nature of the vulnerability make this a high-priority issue for organizations and individuals relying on Avast for endpoint protection.

Technical Information

CVE-2025-3500 is rooted in the aswbidsdriver kernel driver included with Avast Antivirus for Windows. The vulnerability arises due to improper validation of user-supplied data before performing arithmetic operations to calculate buffer sizes for memory allocation. Specifically, when processing IOCTL requests, the driver uses input values directly in calculations without ensuring they remain within safe bounds. If an attacker submits a specially crafted IOCTL request with input values designed to trigger an integer overflow, the resulting buffer allocation is much smaller than intended. Subsequent operations that assume the buffer is of the original intended size can then overwrite adjacent kernel memory, leading to heap-based buffer overflows.

The vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). Exploitation requires local access but is otherwise low complexity. A successful attack allows a user with low privileges to execute arbitrary code in kernel mode, effectively granting full control over the system. The flaw is present in code paths handling IOCTL requests to the aswbidsdriver, which is loaded by default in affected Avast versions.
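
The size calculation described above, as an added user-mode illustration of the CWE-190 pattern beside a checked version. This is not Avast's code and not the real aswbidsdriver IOCTL format: the header size, entry size, function names and the wrapping count are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request layout, assumed for illustration only. */
#define HDR_SIZE   16u   /* fixed header bytes */
#define ENTRY_SIZE 24u   /* bytes per caller-supplied entry */

/* Unchecked: 32-bit math on a caller-controlled count wraps silently,
 * so the allocation can be far smaller than the data later copied in. */
uint32_t alloc_size_unchecked(uint32_t entry_count)
{
    return HDR_SIZE + entry_count * ENTRY_SIZE;
}

/* Checked: fail the request unless the size is exact and backed by input. */
bool alloc_size_checked(uint32_t entry_count, size_t input_len, uint32_t *out)
{
    if (out == NULL || entry_count == 0)
        return false;
    /* Division-based guard: passes only if HDR_SIZE + count * ENTRY_SIZE
     * fits in 32 bits, so the arithmetic below cannot wrap. */
    if (entry_count > (UINT32_MAX - HDR_SIZE) / ENTRY_SIZE)
        return false;
    uint32_t total = HDR_SIZE + entry_count * ENTRY_SIZE;
    /* The input buffer must really hold what the count claims. */
    if (input_len < total)
        return false;
    *out = total;
    return true;
}

int main(void)
{
    uint32_t wrapping = 0x0AAAAAABu; /* constructed: count * 24 == 2^32 + 8 */
    uint32_t size = 0;

    printf("unchecked: %u entries -> %u bytes\n",
           (unsigned)wrapping, (unsigned)alloc_size_unchecked(wrapping));
    printf("checked:   %u entries -> %s\n", (unsigned)wrapping,
           alloc_size_checked(wrapping, 4096, &size) ? "accepted" : "rejected");
    return 0;
}
```

In a Windows kernel driver the same guards are normally written with the `ntintsafe.h` helpers such as `RtlULongMult` and `RtlULongAdd`, failing the IOCTL when either reports an overflow.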

Affected Systems and Versions

  • Product: Avast Antivirus for Windows
  • Affected versions: 25.1.981.6 up to but not including 25.3.9983.922
  • The vulnerability is present in the aswbidsdriver kernel driver shipped with these versions
  • All default installations of Avast Antivirus within this version range are affected

Vendor Security History

Avast has experienced several notable kernel driver vulnerabilities in recent years. CVE-2022-26522 and CVE-2022-26523, both discovered in 2022, involved privilege escalation via flaws in the aswArPot.sys anti-rootkit driver. These issues were also related to improper validation of user input and were exploited in the wild by ransomware groups using bring-your-own-vulnerable-driver techniques. Avast's response to CVE-2025-3500 was relatively prompt, with a patch released within weeks of disclosure, but the recurrence of similar vulnerabilities suggests ongoing challenges in secure driver development and code auditing.
